Azure AD password spray: from attack to detection (and prevention).

Password spray is an attack method designed to fly under the radar of security detection systems.

A password spray attack uses one commonly used password (e.g. Summer2021!) against many different accounts. A brute force attack uses many passwords against one account (often the admin account); that attack is easily detected by security detection systems.

The attack

Verification of valid e-mail addresses

python.exe o365creeper.py -f <input.txt> -o <output.txt>

Disclaimer: o365creeper only works with Python 2, not with Python 3!

The valid e-mail addresses are stored in the <output.txt> file.

Password spray attack

MSOLSpray is used to attack multiple users (those in the <output.txt> file) with a commonly used password.

Import-Module .\MSOLSpray.ps1
Invoke-MSOLSpray -UserList .\<output.txt> -Password Summer2021!

The output shows the user account(s) that match the commonly used password.

Enumerate Azure AD

Even with a single credential match we can read the entire Azure AD via ROADTools (all information is accessible with user permissions, except MFA details, which require admin permissions).

Disclaimer: always use Conditional Access MFA for user and admin accounts (even guest accounts), and apply a strict Conditional Access policy (e.g. access only from Trusted Locations) to all accounts excluded from MFA, such as the root and service accounts.

Detection

Azure Sentinel

We use Azure Sentinel to detect the password spray attack. Although the Microsoft 365 E5 security products like Azure AD Identity Protection provide password spray detection, the method described below works with the Microsoft 365 E3 license.

First, the Azure Active Directory data connector must be enabled with the SigninLogs data type.

Second, we need a KQL query to detect successful password spray attacks (password spray attempts happen all the time; the successful ones are what matter).

Analytics: Incident Rule query

let IPlist = SigninLogs
// Spray-like failures: 50126 = invalid username or password, 50053 = account locked,
// 50076 = correct password but MFA required and not satisfied
| where ResultType in ("50076", "50126", "50053")
| summarize USERs = make_set(Identity) by Location, IPAddress
// Keep source IPs that hit more than 10 distinct identities
| where array_length(USERs) > 10
// Single column, so the 'in' operator below matches on the IP address
| project IPAddress;
SigninLogs
| where IPAddress in (IPlist) and ResultType == "0"

The KQL detects source IP addresses with many (10+) failed sign-ins against different accounts. Only the successful logons (ResultType 0) from those IP addresses are displayed, as those accounts are compromised with 99.9% certainty (true positive).

Disclaimer: exclude the corporate public IP address(es) from the query if applicable.
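The same two-stage logic as the Sentinel rule (many distinct identities failing from one IP, then a success from that IP), re-implemented in Python over constructed sample sign-in records so the pattern and the corporate-IP exclusion can be checked offline. This is an added example, not code from the post or from Microsoft; the result codes, the threshold, the IP addresses and the contoso.example domain are assumptions.

```python
from collections import defaultdict

# Assumed values (not from the post): result codes treated as spray noise,
# the corporate public IP to exclude, and the distinct-identity threshold.
SPRAY_CODES = {"50076", "50126", "50053"}
CORP_IPS = {"198.51.100.1"}
THRESHOLD = 10

def spray_sources(records, threshold=THRESHOLD, exclude=CORP_IPS):
    """Mirror the 'IPlist' half of the KQL: group spray-like failures by
    (Location, IPAddress) and keep sources that hit more than `threshold`
    distinct identities. Corporate IPs are dropped before counting."""
    users = defaultdict(set)
    for r in records:
        if r["ResultType"] in SPRAY_CODES and r["IPAddress"] not in exclude:
            users[(r["Location"], r["IPAddress"])].add(r["Identity"])
    return {src: ids for src, ids in users.items() if len(ids) > threshold}

def compromised_logons(records, threshold=THRESHOLD, exclude=CORP_IPS):
    """Second half of the KQL: successful sign-ins (ResultType 0) coming from
    an IP that was flagged as a spray source. These are the true positives."""
    flagged = {ip for _, ip in spray_sources(records, threshold, exclude)}
    return [r for r in records
            if r["ResultType"] == "0" and r["IPAddress"] in flagged]

def make_sample():
    """Constructed SigninLogs-like records (contoso.example is a placeholder)."""
    def rec(user, ip, result, loc="NL"):
        return {"Identity": f"{user}@contoso.example", "IPAddress": ip,
                "Location": loc, "ResultType": result}
    recs = []
    # Spray: 12 different users, one wrong password each, then one hit.
    recs += [rec(f"user{i:02d}", "203.0.113.10", "50126") for i in range(12)]
    recs.append(rec("user07", "203.0.113.10", "0"))
    # Normal noise: one user mistypes a password three times, then logs in.
    recs += [rec("alice", "192.0.2.5", "50126")] * 3
    recs.append(rec("alice", "192.0.2.5", "0"))
    # Corporate NAT egress: many users fail MFA behind one IP; must be excluded.
    recs += [rec(f"staff{i:02d}", "198.51.100.1", "50076") for i in range(15)]
    recs.append(rec("staff03", "198.51.100.1", "0"))
    return recs

if __name__ == "__main__":
    for hit in compromised_logons(make_sample()):
        print("compromised:", hit["Identity"], "from", hit["IPAddress"])
```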

Microsoft Cloud App Security

I got a second alert via a rule I created in MCAS (Microsoft Cloud App Security) that triggers if the root (break glass) account is used to log on to the cloud.

Hope this blog gives some insight into password spray attacks and how to prevent and detect them.

Chief Technology Officer @ Nedscaper